Monday, 2 February 2004

"Undertakings" by the USA on use of reservation data

As mentioned in an earlier article, Statewatch has posted the complete text of the 12 January 2004 draft "Undertakings of the [USA] Department of Homeland Security Bureau of Customs and Border Protection (CBP)" on transfers of airline reservations data (passenger name records, or PNR's) from the European Union to the USA.

Normally I wouldn't go into such point-by-point technical and legal analysis. If it doesn't interest you, there are lots of other sorts of travel advice, tips, and consumer information elsewhere in this blog -- note the indexes of articles by category in the right-hand column -- on the rest of my Web site, and in my books.

But it's obvious on inspection to any travel agent or airline reservation representative that the "Undertakings" were written by people who've never seen a PNR, and have no idea what it contains, how the data is structured, or how it is entered.

Since I work with PNR's on a daily basis at Airtreks.com, and since my readers include Congressional and Parliamentary staff in several countries who need to evaluate the "Undertakings", it seems worth taking a few extra electrons here to explain how the "Undertakings" depart from reservation realities.

All this points to the need for a much more open process, in which privacy advocates with expertise in reservation data are involved in developing policies like these to govern their use.

The gory details are as follows (including minor updates and corrections to the list of PNR fields made 5 February 2004):

Legal Authority to Obtain PNR [2]

1) By legal statute (title 49, United States Code, section 44909( c ) (3)) and its implementing (interim) regulations (title 19, Code of Federal Regulations, section 122.49b), each air carrier operating passenger flights in foreign air transportation to or from the United States, must provide CBP (formerly, the U.S. Customs Service) with electronic access to PNR data to the extent it is collected and contained in the air carrier's automated reservation/departure control systems ("reservation systems");

This is a correct statement of the law, but the data proposed to be transferred substantially exceeds that required by the law, in two respects:

The requirements of USA law and regulations are limited to data on passengers. But the draft "Undertakings" provide for transfer of all PNR's associated with the flight, including those related to those who never actually become passengers: PNR's that were never ticketed, cancelled PNR's, PNR's that were changed to other flights (and may have been changed to routings not touching the USA), no-show PNR's, etc.

Neither the USA law nor regulations makes any mention of data transfer in advance of flights. Implicitly, they apply only from the time of flight departure ("wheels up"), since only at that time can it be determined who is a passenger, and who is merely a potential passenger.

The portion of the undertakings related to non-passenger PNR's, and to access to PNR's in advance of "wheels up", must be evaluated as providing for transfer of data not required by any USA law or regulation. It does not come under the exceptions to EU law or regulations for data required by law.

Use of PNR Data by CBP

2) Most data elements contained in PNR data can be obtained by CBP upon examining a data subject's airline ticket and other travel documents pursuant to its normal border control authority, but the ability to receive this data electronically will significantly enhance CBP's ability to facilitate bona fide travel and conduct efficient and effective advance risk assessment of passengers;

The point of this clause is to minimize the violation of rights inherent in mandatory government access to PNR's, by claiming that only the manner, not the content, of data access is changing from current inspection of tickets and travel documents by border control officers.

But this statement is false and deeply misleading. It betrays either gross technical incompetence or deliberate intent to mislead.

The majority of the data to be transferred cannot be determined from paper tickets.

An electronic ticket is included in the PNR, and there is no standard definition as to which portions of the PNR are included in the "electronic ticket". So it's unclear what "inspection of tickets" would even mean in the case of electronic tickets. But paper tickets remain common.

A couple of lines of free text can be printed in the "endorsement" box on paper tickets. Theoretically it could be used for anything (for a while, one nationalist travel agency in Athens was endorsing every ticket they issued, "Macedonia is only Greek"), but normally the endorsement box isn't used for any of the other listed items.

9 of the 34 fields could sometimes or partially, but not fully or reliably, be determined from inspection of tickets.

Only 8 of the 34 fields could usually be determined from inspection of tickets.

5) With respect to the data elements identified as "OSI" and "SSI/SSR" (commonly referred to as general remarks and open fields),...

Actually, OSI/SSR data and general remarks are distinct, and are correctly distinguished as separate items on "Attachment A" (items 19 and 27).

... CBP's automated system will search those fields for any of the other data elements identified in "Attachment A". CBP personnel will not be authorized to manually review the full OSI and SSI/SSR fields unless the individual that is the subject of a PNR has been identified by CBP as high risk in relation to any of the purposes identified in paragraph 3 hereof;

Actually, as I have reported previously, I have been told by a source familiar with the CBP access logs, and have seen some sample extracts from the logs which confirm, that this is not happening -- CBP routinely reviews entire PNR's, including OSI/SSR data, remarks, and history.

6) Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels, and only for legitimate counterterrorism or law enforcement purposes.

In the absence of data protection law in the USA, almost any imaginable technique is a "lawful channel", so this seeming reassurance is hollow.

For example, if a credit card number is listed in a PNR, transaction information linked to that account may be sought, pursuant to lawful process, such as a subpoena issued by a grand jury or a court order, or as otherwise authorized by law.

The key to the emptiness of this assurance is the clause, "as otherwise authorized by law". In the absence of any data protection law, the USA government or any private actor is "authorized by law" to ask the airline, CRS, or anyone else in possession of data to hand it over, and they are "authorized by law" to hand it over -- without notice to, or consent of, the data subject.

Even if the party in possession of the data declines to turn it over, the USA government can compel disclosure of data (specifically including airline reservation data) by issuing a "national security letter" under the Patriot Act, which does not require any action or review by any officer of the judicial branch, and which can order that the disclosure be kept secret from the data subject or anyone else.

In order to review the "adequacy" of the CBP undertakings, the European Union must thus review the "adequacy" of the Patriot Act provisions for access to personal data, including airline reservations, through non-judicial "national security letters".

In addition, access to records related to e-mail accounts derived from a PNR will follow U.S. statutory requirements for subpoenas, court orders, warrants, and other processes as authorized by law, depending on the type of information being sought;

As above, under the Patriot Act, and in the absence of data protection, there is in general no USA statutory requirement for subpoenas, court orders, or warrants -- there are "other processes as authorized by law".

8) CBP may transfer PNRs on a bulk basis to the Transportation Security Administration (TSA) for purposes of TSA's testing of its Computer Assisted Passenger Prescreening System II (CAPPS II).

This isn't a side agreement (which would have required separate approval and consultation with the European Parliament and the Article 29 Working Party of national data protection authorities). This is an integral part of the basic agreement, and Commissioner Bolkestein once again appears to have tried to mislead the European Parliament in his categorical statement that "the agreement" does not cover CAPPS-II.

12) With regard to the PNR data which CBP accesses (or receives) directly from the air carrier's reservation systems for purposes of identifying potential subjects for border examination, CBP personnel will only access (or receive) and use PNR data concerning persons whose travel includes a flight into, out of, or through the United States;

I've been told by a source familiar with the access logs that the CBP has accessed PNR data on other flights, including flights entirely within the EU.

14) CBP will pull PNR data associated with a particular flight no earlier than 72 hours prior to the departure of that flight,

I've been told by a source familiar with the access logs that the CBP has accessed PNR data as much as several weeks before the flight date.

18) Details regarding access to information in CBP databases (such as who, where, when (date and time) and any revisions to the data) are automatically recorded and routinely audited by the Office of Internal Affairs to prevent unauthorized use of the system;

A critical question is whether the months of logs of the illegal access to date have been, or will be, subjected to such an audit before an agreement is finalized. From what I've been told by my source about the logs, and the excerpts I've received, they would not stand up to a sufficiently thorough and technically competent audit.
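An audit of the kind the preceding paragraph calls for can be expressed as mechanical checks against the undertakings' own terms: paragraph 12 (only flights into, out of, or through the USA), paragraph 14 (no pull earlier than 72 hours before departure) and paragraph 5 (full OSI/SSR review only for subjects flagged high risk). The following is an added example, not code or log format from CBP or from this article; the log layout, field names, airport list and sample rows are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample access-log rows (assumed layout; not real CBP log data).
# segments: origin-destination per flight, several flights separated by "/".
# fields: PNR sections the user opened; risk_flag: whether CBP flagged the subject.
SAMPLE_LOG = """\
timestamp,user,record_locator,departure,segments,fields,risk_flag
2004-01-10T09:00:00,agent1,ABC123,2004-01-11T14:00:00,LHR-JFK,name;itinerary,no
2004-01-10T09:05:00,agent1,DEF456,2004-02-05T08:00:00,CDG-JFK,name,no
2004-01-10T09:10:00,agent2,GHI789,2004-01-12T10:00:00,FRA-MAD,name;osi,no
2004-01-10T09:15:00,agent2,JKL012,2004-01-11T18:00:00,AMS-ORD,name;osi;ssr,no
2004-01-10T09:20:00,agent3,MNO345,2004-01-11T18:00:00,AMS-ORD,osi;ssr,yes
"""

US_AIRPORTS = {"JFK", "ORD", "LAX", "IAD", "EWR"}   # assumed subset for the example
PULL_WINDOW = timedelta(hours=72)                    # paragraph 14
MANUAL_ONLY_FIELDS = {"osi", "ssr"}                  # paragraph 5


def touches_us(segments):
    """True if any flight in the itinerary string starts or ends at a US airport."""
    for flight in segments.split("/"):
        if any(code in US_AIRPORTS for code in flight.split("-")):
            return True
    return False


def audit(log_text):
    """Return (record_locator, finding) pairs for each access outside the undertakings."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        accessed = datetime.fromisoformat(row["timestamp"])
        departure = datetime.fromisoformat(row["departure"])
        opened = set(row["fields"].split(";"))
        loc = row["record_locator"]
        if not touches_us(row["segments"]):
            findings.append((loc, "para 12: itinerary does not touch the USA"))
        if departure - accessed > PULL_WINDOW:
            findings.append((loc, "para 14: pulled more than 72 hours before departure"))
        if opened & MANUAL_ONLY_FIELDS and row["risk_flag"] != "yes":
            findings.append((loc, "para 5: full OSI/SSR viewed without high-risk flag"))
    return findings


if __name__ == "__main__":
    for locator, finding in audit(SAMPLE_LOG):
        print(locator, finding)
```

Each finding names the paragraph it violates so an auditor can trace it back to the undertakings; a log that omits any of the columns used here cannot support these checks at all.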

21) Unauthorized access by CBP personnel to air carrier reservation systems or the CBP computerized system which stores PNR is subject to strict disciplinary action

In theory, maybe, but the violations to date have not been punished. The way the CBP has been using its access to reservation systems is scandalous, and the EU should insist on an independent audit before any finding that the purported internal CBP oversight provides "adequate" protection against.

31) For purposes of regulating the dissemination of PNR data which may be shared with other Designated Authorities, CBP is considered the "owner" of the data and such Designated Authorities are obligated by the express terms of disclosure to: (1) use the PNR data only for the purposes set forth in paragraph 29 or 34 herein, as applicable; (2) ensure the orderly disposal of PNR information that has been received, consistent with the Designated Authority's record retention procedures;

Here again, one must keep in mind that, since there is no general data protection law in the USA, the "Designated Authority's record retention procedures" may not exist, or may provide for indefinite retention.

39) CBP will undertake to rectify data at the request of passengers and crewmembers, air carriers or Data Protection Authorities (DPAs) in the EU Member States (to the extent specifically authorized by the data subject),

The undertakings here fail to take into consideration the rights of other data subjects, including airline, travel agency, and other reservation staff; persons from whom reservations are received for others; persons paying for tickets for others. Here again, it's not entirely clear if the negotiators of the undertakings were technically incompetent, or deliberately trying to evade acknowledgment of the scope of the data transfer and the range of data subjects it would implicate. (I discussed the other categories of data subjects at some length in my comments to the DHS on the CAPPS-II Privacy Act notice.)

Keep in mind that I am not a lawyer. Lawyers may well have additional criticisms. I've tried to focus on the technical problems, as an expert on travel reservations and their privacy implications.

The following 17 of the 34 PNR fields listed in "Attachment A" are never printed on or identifiable from inspection of paper tickets:

2. Date of reservation

5. Other names on PNR

6. Address

8. Billing address

9. Contact telephone numbers

11. Frequent flyer information (limited to miles flown and address(es)) [frequent flyer number might be shown on tickets, but never miles flown and never address on frequent flyer account]

16. Split/Divided PNR information

17. Email address

19. General remarks

23. No show history

25. Go show information [Update: Since writing this article, I've learned that this term is used by some airlines to describe a "walk-up" passenger, that is, someone who presents themselves without a ticket or reservation, and buys a ticket to travel immediately. Some airlines create a reservation on the spot for such a passenger. Other airlines simply sell them a ticket -- possibly an "open" ticket -- and board them as a stand-by passenger.]

26. OSI information

27. SSI/SSR information

28. Received from information [This identifies the person who requested the reservation, who might not be the traveller, e.g. a business associate, personal assistant, friend, family member, etc. This is a whole additional category of data subject whose rights must be considered and provided for, but haven't been.]

29. All historical changes to the PNR [The "history" is the audit trail, which records every entry, change, or deletion to or from the PNR. The "history" thus includes every field in the PNR, and access to the history implies access to all PNR fields, whatever they might be, not just the list specified in Attachment "A". For there to be any meaningful limitation of which portions of the PNR are accessible, or any meaningful "filtering" of sensitive or other data, it is essential that the history be excluded from access or subjected to the same filtering by field and by "sensitivity" of the type of information. But for technical reasons filtering the history would be significantly more difficult than filtering the rest of the PNR.]

30. Number of travelers on PNR

33. Any collected APIS information
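The point made under item 29, and the automated field search described in paragraph 5, can be demonstrated with a small filter: an allowlist applied only to a PNR's top-level fields still hands over everything through the history, because each history entry carries the field and value of the change, including values that were later deleted. The code below is an added example, not a real PNR format or any CRS's code; the field names, the SSR codes treated as sensitive, and the sample record are constructed assumptions.

```python
import copy

# Constructed sample PNR (assumed structure). SSR codes such as VGML (vegetarian meal)
# or WCHR (wheelchair) can reveal religion, ethnicity or health, so they are treated as
# sensitive here; agent_home_phone stands in for a field outside Attachment A.
SAMPLE_PNR = {
    "record_locator": "ABC123",
    "name": "DOE/JANE",
    "itinerary": ["LHR-JFK 11JAN"],
    "ssr": ["VGML"],
    "general_remarks": ["PAX PREFERS AISLE"],
    "agent_home_phone": "+44 20 0000 0000",
    "history": [
        {"action": "add", "field": "name", "value": "DOE/JANE"},
        {"action": "add", "field": "ssr", "value": "WCHR"},
        {"action": "add", "field": "ssr", "value": "VGML"},
        {"action": "add", "field": "agent_home_phone", "value": "+44 20 0000 0000"},
        {"action": "del", "field": "ssr", "value": "WCHR"},
        {"action": "add", "field": "general_remarks", "value": "PAX PREFERS AISLE"},
    ],
}

ALLOWED = {"record_locator", "name", "itinerary", "ssr", "general_remarks", "history"}
SENSITIVE_SSR = {"VGML", "KSML", "MOML", "WCHR", "MEDA"}   # assumed list for the example


def filter_top_level(pnr):
    """Naive filter: allowlist top-level fields and scrub SSRs, but pass history through."""
    out = {k: copy.deepcopy(v) for k, v in pnr.items() if k in ALLOWED}
    out["ssr"] = [c for c in out.get("ssr", []) if c not in SENSITIVE_SSR]
    return out


def filter_with_history(pnr):
    """Apply the same allowlist and sensitivity rule to every history entry as well."""
    out = filter_top_level(pnr)
    out["history"] = [
        dict(h) for h in pnr.get("history", [])
        if h["field"] in ALLOWED
        and not (h["field"] == "ssr" and h["value"] in SENSITIVE_SSR)
    ]
    return out


def history_leaks(filtered):
    """History entries in a filtered copy that the top-level rules would have removed."""
    return [
        h for h in filtered.get("history", [])
        if h["field"] not in ALLOWED
        or (h["field"] == "ssr" and h["value"] in SENSITIVE_SSR)
    ]
```

Run against the sample record, the naive filter leaves four leaking history entries (the two SSR codes, the deleted WCHR entry, and the agent's phone number) while the history-aware filter leaves none and keeps only the two benign entries.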

The following 9 fields could sometimes or partially, but not fully or reliably, be determined from inspection of tickets (sometimes in conjunction with other indexes, e.g. a lookup table of travel agency names and addresses by IATA/ARC accreditation number to determine the travel agency and travel agent name and address from the agency number on the ticket):

1. PNR record locator code [Tickets don't always show any record locator, especially if issued "open". The record locator on the tickets is typically that of the CRS record from which the tickets were issued, which isn't necessarily the same as the record in the airline's host CRS, or of the record containing the "live" reservations and additional data, especially if the agent and airline use different CRS's, or if reservations are made by a retail travel agency but tickets are issued by a wholesaler.]

3. Date(s) of intended travel [The tickets could show only "open" in place of airlines, dates, and flight numbers, even if specific flights have been reserved in the PNR. And the PNR could include flights other than those included in the tickets used for the flight to or from the USA. It's also unclear if "All travel itinerary" is intended to include non-air travel segments that might be included in the same PNR, such as hotel or car hire reservations, tour or cruise bookings, etc., but these obviously wouldn't be indicated on airline tickets. Whether transfer of non-air PNR segments to the CBP is contemplated by the undertakings is a major question.]

7. All forms of payment information [If the person making payment is not the passenger, this would include information on yet another category of data subject]

10. All travel itinerary for specific PNR [In addition to the reservations for the current flight, a PNR can and often does include reservations for other flights not yet ticketed, or ticketed separately, as well as non-air components of the traveller(s)' itinerary such as accommodations, car rental or rail reservations, tours, cruises, etc.]

12. Travel agency [Only the agency and agent issuing the ticket could be determined from the ticket; the agency(s) and agent(s) making the reservations could not -- frequently reservations are made by a retail agency, but tickets actually are issued by a wholesale consolidator.]

13. Travel agent [see above; this is also significant because it means that personal data on airline and travel agency staff, not just passengers and prospective passengers, will be transferred to the USA. There is the same problem with CAPPS-II: the DHS has falsely described it as implicating personal data of travellers only, ignoring its effect on other categories of data subjects including airline and travel agency workers.]

14. Code share PNR information

24. Bag tag numbers [Not on tickets, but baggage tags could be considered part of "travel documents", so this item is questionable.]

34. ATFQ fields

Only the following 8 of the 34 fields could usually be determined from inspection of tickets:

4. Name

15. Travel status of passenger

18. Ticketing field information

20. Ticket number

21. Seat number [Actually often determined at check-in, and only determined from boarding pass, not ticket, so this item reinforces the point that real passenger data is only available on departure of the flight, and no sooner]

"Congress shall make no law ... abridging ... the right of the people peaceably to assemble." (U.S. Constitution)

"Everyone has the right to freedom of movement and residence within the borders of each state. Everyone has the right to leave any country, including his own, and to return to his country." (Universal Declaration of Human Rights)

"Liberty of movement is an indispensable condition for the free development of a person." (United Nations Human Rights Committee)